Abstract. Bogdanov and Lee suggested a homomorphic public-key encryption scheme based on error-correcting codes. The underlying public code is a modified Reed-Solomon code obtained from inserting a zero submatrix in the Vandermonde generating matrix defining it. The columns that define this submatrix are kept secret and form a set L. We give here a distinguisher that detects if one or several columns belong to L or not. This distinguisher is obtained by considering the code generated by component-wise products of codewords of the public code (the so-called "square code"). This operation is applied to punctured versions of this square code obtained by picking a subset I of the whole set of columns. It turns out that the dimension of the punctured square code is directly related to the cardinality of the intersection of I with L. This allows an attack which recovers the full set L and which can then decrypt any ciphertext.
The concept of homomorphic encryption was first proposed in 1978 in [RAD78], but it took more than three decades to see the first scheme of this kind [Gen09]. It is based on ideal lattices. Since then several proposals have been made, most of which rely on lattice theory. One challenging issue is to come up with a homomorphic encryption scheme using different security assumptions. Recently, the first symmetric homomorphic encryption scheme based on error-correcting codes was proposed in [AAPS11]. This work was then followed by [BL12], which can be considered as the first public-key homomorphic scheme based on coding theory. This particular cryptosystem heavily relies on properties of Reed-Solomon codes. These codes were suggested for the first time in a public-key cryptosystem in [Nie86], but it was shown to be insecure in [SS92]. The attack recovers the underlying Reed-Solomon code, allowing the decoding of any encrypted data obtained from a McEliece-type cryptosystem based on them. The McEliece cryptosystem [McE78], on the other hand, uses Goppa codes. Since its introduction, it has withstood many attacks and, after more than thirty years, it still belongs to the very few unbroken public-key cryptosystems. This situation substantiates the claim that inverting the encryption function, and in particular recovering the private key from public data, is intractable.

No significant breakthrough has been observed with respect to the problem of recovering the private key [Gib91, LS01]. This has led to the claim that the generator matrix of a binary Goppa code does not disclose any visible structure that an attacker could exploit. This is strengthened by the fact that Goppa codes share many characteristics with random codes: for instance they asymptotically meet the Gilbert-Varshamov bound, they typically have a trivial permutation group, etc. Hence, the hardness of the Goppa code distinguishing problem, which asks whether a Goppa code can be distinguished from a random code, has become a classical belief in code-based cryptography, and as a consequence, a mandatory assumption to prove semantic security in the random oracle model [NIKM08], CCA2 security in the standard model [DMQN09] and security in the random oracle model against existential forgery [CFS01, Dal07] of the signature scheme [CFS01].

In [FGO+11], an algorithm that manages to distinguish between a random code and a Goppa code has been introduced. This work, without undermining the security of [McE78], prompts one to wonder whether it would be possible to devise an attack based on such a distinguisher. It was found out in [MCP12] that our distinguisher [FGO+11] has an equivalent but simpler description in terms of the component-wise product of codes. This notion was first put forward in coding theory to unify many different algebraic decoding algorithms [Pel92, Kot92]. This distinguisher is even more powerful in the case of Reed-Solomon codes than for Goppa codes because, whereas for Goppa codes it is only successful for rates close to 1, it can distinguish Reed-Solomon codes of any rate from random codes. In the specific case of [BL12], the underlying public code is a modified Reed-Solomon code obtained from inserting a zero submatrix in the Vandermonde generating matrix defining it, and in this case our distinguisher leads to an attack. Namely, we present in this paper a key-recovery attack on the Bogdanov-Lee homomorphic scheme based on the version of our distinguisher presented in [MCP12]. Our attack runs in polynomial time and is efficient: it only amounts to calculating the ranks of certain matrices derived from the public key.

More precisely, in their cryptosystem the columns that define the zero submatrix are kept secret and form a set L. We give here a distinguisher that detects if one or several columns belong to L or not. This distinguisher is obtained by considering the code generated by component-wise products of codewords of the public code (the so-called "square code"). This operation is applied to punctured versions of this square code obtained by picking a subset I of the whole set of columns. It turns out that the dimension of the punctured square code is directly related to the cardinality of the intersection of I with L. This allows an attack which recovers the full set L and which can then decrypt any ciphertext.

It should also be pointed out that the properties of Reed-Solomon codes with respect to the component-wise product of codes have already been used to cryptanalyze a McEliece scheme based on subcodes of Reed-Solomon codes [Wie10]. The use of this product is nevertheless different in [Wie10] from the way we use it here. Note also that our attack is not an adaptation of the Sidelnikov and Shestakov approach [SS92]. Our approach is completely new: it illustrates how a distinguisher that detects an abnormal behaviour can be used to recover the private key.

In Section 2 we recall important notions from coding theory. In Section 3 we introduce the cryptosystem and in Section 4 we present the key recovery attack.

2 Reed-Solomon codes and the square code 

We recall in this section a few relevant results and definitions from coding theory and bring in the fundamental notion which is used in the attack, namely the square code. A linear code $\mathscr{C}$ of length $n$ and dimension $k$ over a finite field $\mathrm{GF}(q)$ of $q$ elements is a subspace of dimension $k$ of the full space $\mathrm{GF}(q)^n$. It is generally specified by a full-rank matrix called a generator matrix, which is a $k \times n$ matrix $G$ (with $k < n$) over $\mathrm{GF}(q)$ whose rows span the code:

$$\mathscr{C} = \{ uG \mid u \in \mathrm{GF}(q)^k \}.$$

It can also be specified by a parity-check matrix $H$, which is a matrix whose right kernel is equal to the code, that is

$$\mathscr{C} = \{ x \in \mathrm{GF}(q)^n \mid Hx^T = 0 \},$$

where $x^T$ stands for the column vector which is the transpose of the row vector $x$. The rate of the code is given by the ratio $\frac{k}{n}$. Code-based public-key cryptography focuses on linear codes that have a polynomial-time decoding algorithm. The role of decoding algorithms is to correct errors of prescribed weight. We say that a decoding algorithm corrects $t$ errors if it recovers $u$ from the knowledge of $uG + e$ for all possible $e \in \mathrm{GF}(q)^n$ of weight at most $t$.

Reed-Solomon codes form a special case of codes with a very powerful low-complexity decoding algorithm. It will be convenient to use the definition of Reed-Solomon codes and generalized Reed-Solomon codes as evaluation codes.

Definition 1 (Reed-Solomon code and generalized Reed-Solomon code). Let $k$ and $n$ be integers such that $1 \le k < n \le q$ where $q$ is a power of a prime number. Let $x = (x_1, \dots, x_n)$ be an $n$-tuple of distinct elements of $\mathrm{GF}(q)$. The Reed-Solomon code $\mathrm{RS}_k(x)$ of dimension $k$ is the set of $(p(x_1), \dots, p(x_n))$ when $p$ ranges over all polynomials of degree $\le k-1$ with coefficients in $\mathrm{GF}(q)$. The generalized Reed-Solomon code $\mathrm{GRS}_k(x,y)$ of dimension $k$ is associated to a couple $(x,y) \in \mathrm{GF}(q)^n \times \mathrm{GF}(q)^n$ where $x$ is chosen as above and the entries $y_i$ are arbitrary nonzero elements in $\mathrm{GF}(q)$. It is defined as the set of $(y_1 p(x_1), \dots, y_n p(x_n))$ where $p$ ranges over all polynomials of degree $\le k-1$ with coefficients in $\mathrm{GF}(q)$.

Generalized Reed-Solomon codes are quite important in coding theory due to the conjunction of several factors such as:

(i) their minimum distance $d$ is maximal among all codes of the same dimension and length since they are MDS codes (their distance is equal to $n - k + 1$),

(ii) they can be efficiently decoded in polynomial time when the number of errors is less than or equal to $\lfloor \frac{d-1}{2} \rfloor = \lfloor \frac{n-k}{2} \rfloor$.

It has been suggested to use them in a public-key cryptosystem for the first time in [Nie86] but it was discovered that this scheme is insecure in [SS92]. Namely, Sidelnikov and Shestakov showed that it is possible to recover in polynomial time, for any generalized Reed-Solomon code, a possible couple $(x,y)$ which defines it. This is all that is needed to decode such codes efficiently and is therefore enough to break the Niederreiter cryptosystem suggested in [Nie86] or a McEliece-type cryptosystem [McE78] when Reed-Solomon codes are used instead of Goppa codes.

We could not find a way to adapt the Sidelnikov and Shestakov approach for cryptanalyzing the Bogdanov and Lee cryptosystem. However, a Reed-Solomon code displays a quite peculiar property with respect to the component-wise product, which is denoted by $a \star b$ for two vectors $a = (a_1, \dots, a_n)$ and $b = (b_1, \dots, b_n)$ and which is defined by $a \star b = (a_1 b_1, \dots, a_n b_n)$. This can be seen by bringing in the following definition.

Definition 2 (star product of two codes, square code). Let $\mathscr{A}$ and $\mathscr{B}$ be two codes of length $n$. The star product code denoted by $\langle \mathscr{A} \star \mathscr{B} \rangle$ of $\mathscr{A}$ and $\mathscr{B}$ is the vector space spanned by all products $a \star b$ where $a$ and $b$ range over $\mathscr{A}$ and $\mathscr{B}$ respectively. When $\mathscr{B} = \mathscr{A}$, $\langle \mathscr{A} \star \mathscr{A} \rangle$ is called the square code of $\mathscr{A}$ and is denoted by $\langle \mathscr{A}^2 \rangle$.

It is clear that $\langle \mathscr{A} \star \mathscr{B} \rangle$ is also generated by the $a_i \star b_j$'s where the $a_i$'s and the $b_j$'s form a basis of $\mathscr{A}$ and $\mathscr{B}$ respectively. Therefore

Proposition 1.

$$\dim(\langle \mathscr{A} \star \mathscr{B} \rangle) \le \dim(\mathscr{A}) \dim(\mathscr{B}).$$

We expect that the square code when applied to a random linear code should be a code of dimension of order $\min\left\{ \binom{k+1}{2}, n \right\}$. Actually by using the proof technique of [FGO+11] it can be shown for instance that with probability going to 1 as $k$ tends to infinity, the square code is of dimension $\min\left\{ \binom{k+1}{2}(1 + o(1)), n \right\}$ when $k$ is of the form $k = o(n^{1/2})$. On the other hand generalized Reed-Solomon codes behave in a completely different way.

Proposition 2. $\langle \mathrm{GRS}_k(x,y)^2 \rangle = \mathrm{GRS}_{2k-1}(x, y \star y)$.

This follows immediately from the definition of a generalized Reed-Solomon code as an evaluation code since the star product of two elements $c = (y_1 p(x_1), \dots, y_n p(x_n))$ and $c' = (y_1 q(x_1), \dots, y_n q(x_n))$ of $\mathrm{GRS}_k(x,y)$, where $p$ and $q$ are two polynomials of degree at most $k-1$, is of the form

$$c \star c' = (y_1^2 p(x_1) q(x_1), \dots, y_n^2 p(x_n) q(x_n)) = (y_1^2 r(x_1), \dots, y_n^2 r(x_n))$$

where $r$ is a polynomial of degree $\le 2k-2$. Conversely, any element of the form $(y_1^2 r(x_1), \dots, y_n^2 r(x_n))$ where $r$ is a polynomial of degree less than or equal to $2k-1$ is a linear combination of star products of two elements of $\mathrm{GRS}_k(x,y)$.

This proposition shows that the square code is only of dimension $2k-1$ when $2k-1 \le n$, which is quite unusual. This property can also be used in the case $2k-1 > n$. To see this, consider the dual of the Reed-Solomon code. The dual $\mathscr{C}^\perp$ of a code $\mathscr{C}$ of length $n$ over $\mathrm{GF}(q)$ is defined by

$$\mathscr{C}^\perp = \{ x \in \mathrm{GF}(q)^n \mid \langle x, y \rangle = 0, \ \forall y \in \mathscr{C} \},$$

where $\langle x, y \rangle = \sum_i x_i y_i$ stands for the standard inner product between elements of $\mathrm{GF}(q)^n$. The dual of a generalized Reed-Solomon code is itself a generalized Reed-Solomon code, see [MS86, Theorem 4, p.304].

Proposition 3.

$$\mathrm{GRS}_k(x,y)^\perp = \mathrm{GRS}_{n-k}(x,y')$$

where the length of $\mathrm{GRS}_k(x,y)$ is $n$ and $y'$ is a certain element of $\mathrm{GF}(q)^n$ depending on $x$ and $y$.

Therefore when $2k-1 > n$ a Reed-Solomon code $\mathrm{GRS}_k(x,y)$ can also be distinguished from a random linear code of the same dimension by computing the dimension of $\langle (\mathrm{GRS}_k(x,y)^\perp)^2 \rangle$. We have in this case

$$\langle (\mathrm{GRS}_k(x,y)^\perp)^2 \rangle = \langle \mathrm{GRS}_{n-k}(x,y')^2 \rangle = \langle \mathrm{GRS}_{2n-2k-1}(x, y' \star y') \rangle$$

and we obtain a code of dimension $2n - 2k - 1$.

The star product of two codes is the fundamental notion used in the decoding algorithm based on an error correcting pair [Pel92, Kot92], which unifies ideas common to many algebraic decoding algorithms. It has been used for the first time to cryptanalyze a McEliece scheme based on subcodes of Reed-Solomon codes [Wie10]. The use of the star product is nevertheless different in [Wie10] from the way we use it here. In this paper, the star product is used to identify for a certain subcode $\mathscr{C}$ of a generalized Reed-Solomon code $\mathrm{GRS}_k(x,y)$ a possible pair $(x,y)$. This is achieved by computing $\langle \mathscr{C}^2 \rangle$, which in the case which is considered turns out to be equal to $\langle \mathrm{GRS}_k(x,y)^2 \rangle$, which is equal to $\mathrm{GRS}_{2k-1}(x, y \star y)$. The Sidelnikov and Shestakov algorithm is then used on $\langle \mathscr{C}^2 \rangle$ to recover a possible $(x, y \star y)$ pair to describe $\langle \mathscr{C}^2 \rangle$ as a generalized Reed-Solomon code. From this, a possible $(x,y)$ pair for which $\mathscr{C} \subset \mathrm{GRS}_k(x,y)$ is deduced.
3 The Bogdanov-Lee Cryptosystem



The cryptosystem proposed by Bogdanov and Lee in [BL12] is a public-key homomorphic encryption scheme based on linear codes. It encrypts a plaintext $m$ from $\mathrm{GF}(q)$ into a ciphertext $c$ that belongs to $\mathrm{GF}(q)^n$ where $n$ is a given integer. The key generation requires a non-negative integer $\ell$ such that $3\ell < n$ and a subset $L$ of $\{1, \dots, n\}$ of cardinality $3\ell$. A set of $n$ distinct elements $x_1, \dots, x_n$ from $\mathrm{GF}(q)$ are generated at random. They serve to construct a $k \times n$ matrix $G$ whose $i$-th column $G_i^T$ ($1 \le i \le n$) is defined by:

$$G_i^T \stackrel{\text{def}}{=} \begin{cases} (x_i, x_i^2, \dots, x_i^{\ell}, 0, \dots, 0) & \text{if } i \in L \\ (x_i, x_i^2, \dots, x_i^{\ell}, x_i^{\ell+1}, \dots, x_i^{k}) & \text{if } i \notin L \end{cases}$$

where the symbol $^T$ stands for the transpose.

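In other words, when $L$ is the set $\{1, \dots, 3\ell\}$, $G$ is the following matrix:

$$G = \begin{pmatrix}
x_1 & \cdots & x_{3\ell} & x_{3\ell+1} & \cdots & x_n \\
x_1^2 & \cdots & x_{3\ell}^2 & x_{3\ell+1}^2 & \cdots & x_n^2 \\
\vdots & & \vdots & \vdots & & \vdots \\
x_1^{\ell} & \cdots & x_{3\ell}^{\ell} & x_{3\ell+1}^{\ell} & \cdots & x_n^{\ell} \\
0 & \cdots & 0 & x_{3\ell+1}^{\ell+1} & \cdots & x_n^{\ell+1} \\
\vdots & & \vdots & \vdots & & \vdots \\
0 & \cdots & 0 & x_{3\ell+1}^{k} & \cdots & x_n^{k}
\end{pmatrix}$$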

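The cryptosystem is now defined as follows.

- Secret key: $(L, G)$.

- Public key: $P \stackrel{\text{def}}{=} SG$ where $S$ is a $k \times k$ random invertible matrix over $\mathrm{GF}(q)$.

- Encryption: the ciphertext $c \in \mathrm{GF}(q)^n$ of a plaintext $m \in \mathrm{GF}(q)$ is obtained by picking $x$ in $\mathrm{GF}(q)^k$ uniformly at random and $e$ in $\mathrm{GF}(q)^n$ by choosing its components according to a certain distribution $\tilde{\eta}$, then computing $c \stackrel{\text{def}}{=} xP + m\mathbf{1} + e$ where $\mathbf{1} \in \mathrm{GF}(q)^n$ is the all-ones row vector.

- Decryption: the linear system (1) is solved for $y \stackrel{\text{def}}{=} (y_1, \dots, y_n) \in \mathrm{GF}(q)^n$:

$$\begin{cases} G y^T = 0 \\ \sum_{i \in L} y_i = 1 \\ y_i = 0 \text{ for all } i \notin L. \end{cases} \qquad (1)$$

The plaintext is $m = \sum_{i=1}^{n} y_i c_i$.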

The decryption algorithm will output the correct plaintext when $\ell$ and $n$ are chosen such that the entry $e_i$ at position $i$ of the error vector is zero when $i \in L$. The distribution $\tilde{\eta}$ which is used to draw at random the coordinates of $e$ is chosen such that this property holds with very large probability. To check the correctness of the algorithm when this property on $e$ holds, notice that the linear system (1) has $3\ell$ unknowns and $\ell + 1$ equations and since it is by construction of rank $\ell + 1$, it always admits at least one solution. Then observe that

$$\begin{aligned}
\sum_{i=1}^{n} y_i c_i &= (xP + m\mathbf{1} + e) y^T \\
&= (xP + m\mathbf{1}) y^T \quad (\text{since } e_i = 0 \text{ if } i \in L \text{ and } y_i = 0 \text{ if } i \notin L) \\
&= xSGy^T + m \sum_{i=1}^{n} y_i \\
&= m \quad (\text{since } Gy^T = 0 \text{ and } \sum_{i=1}^{n} y_i = 1).
\end{aligned}$$

The parameters $k$, $q$, $\ell$ and the noise distribution $\tilde{\eta}$ are chosen such that

- $q = \Omega(2^{n^{\alpha}})$;

- $k = \Theta(n^{1-\alpha/8})$;

- the noise distribution $\tilde{\eta}$ is the $q$-ary symmetric channel with noise rate $\eta = \Theta(1/n^{1-\alpha/4})$, that is $\mathrm{Prob}(e_i = 0) = 1 - \eta$ and $\mathrm{Prob}(e_i = x) = \frac{\eta}{q-1}$ for any $x$ in $\mathrm{GF}(q)$ different from zero;

- $\ell = \Theta(n^{\alpha/4})$;

where $\alpha$ is some constant in the range $(0, \frac{1}{4}]$. It is readily checked that the probability that $e_i \ne 0$ for $i \in L$ is vanishing as $n$ goes to infinity since it is upper-bounded by $\eta \ell = O\left( \frac{n^{\alpha/4}}{n^{1-\alpha/4}} \right) = O(n^{-1+\alpha/2}) = o(1)$.

4 An efficient attack on the Bogdanov-Lee homomorphic cryptosystem

4.1 Outline 

The attack consists in first recovering the secret set $L$ and from there directly finding a suitable vector $y$ by solving the system

$$\begin{cases} P y^T = 0 \\ \sum_{i \in L} y_i = 1 \\ y_i = 0 \text{ for all } i \notin L. \end{cases} \qquad (2)$$

Indeed, requiring that $Py^T = 0$ is equivalent to $SGy^T = 0$ and since $S$ is invertible this is equivalent to the equation $Gy^T = 0$. Therefore System (2) is equivalent to the "secret" system (1). An attacker may therefore recover $m$ without even knowing $G$ just by outputting $\sum_i y_i c_i$ for any solution $y$ of (2). In the following subsection, we will explain how $L$ can be recovered from $P$ in polynomial time.

4.2 Recovering L 

Our attack relies heavily on the fact that the public matrix may be viewed as the generator matrix of a code $\mathscr{C}$ which is quite close to a generalized Reed-Solomon code (or to a Reed-Solomon code if a row consisting only of 1's is added to it). Notice that any punctured version of the code also has this property (a punctured code consists in keeping only a fixed subset of positions in a codeword). More precisely, let us introduce

Definition 3. For any $I \subset \{1, \dots, n\}$ of cardinality $|I|$, the restriction of a code $\mathscr{A}$ of length $n$ is the subset of $\mathrm{GF}(q)^{|I|}$ defined as:

$$\mathscr{A}_I \stackrel{\text{def}}{=} \{ v \in \mathrm{GF}(q)^{|I|} \mid \exists a \in \mathscr{A}, \ v = (a_i)_{i \in I} \}.$$



The results about the unusual dimension of the square of a Reed-Solomon code which are given in Section 2 prompt us to study the dimension of the square code $\langle \mathscr{C}^2 \rangle$ or more generally the dimension of $\langle \mathscr{C}_I^2 \rangle$. When $I$ contains no positions in $L$, then $\mathscr{C}_I$ is nothing but a generalized Reed-Solomon code and we expect a dimension of $2k-1$ when $|I|$ is larger than $2k-1$. On the other hand, when there are positions in $I$ which also belong to $L$ we expect the dimension to become bigger and the dimension of $\langle \mathscr{C}_I^2 \rangle$ to behave as an increasing function of $|I \cap L|$. This is exactly what happens as shown in the proposition below.



Proposition 4. Let $I$ be a subset of $\{1, \dots, n\}$ and set $J \stackrel{\text{def}}{=} I \cap L$. If the cardinality of $I$ and $J$ satisfy $|J| \le \ell - 1$ and $|I| - |J| \ge 2k$ then

$$\dim(\langle \mathscr{C}_I^2 \rangle) = 2k - 1 + |J|. \qquad (3)$$



The proof of this proposition can be found in Appendix A. An attacker can exploit this proposition to mount a distinguisher that recognizes whether a given position belongs to the secret set $L$. At first a set $I$ which satisfies with high probability the assumptions of Proposition 4 is randomly chosen. Take for instance $|I| = 3k$. Then $d_I \stackrel{\text{def}}{=} \dim(\langle \mathscr{C}_I^2 \rangle)$ is computed. Next, one element $x$ is removed from $I$ to get a new set $I'$ and $d_{I'} \stackrel{\text{def}}{=} \dim(\langle \mathscr{C}_{I'}^2 \rangle)$ is computed. The only two possible cases are then:

1. if $x \notin L$ then $d_{I'} = d_I$,

2. and if $x \in L$ then $d_{I'} = d_I - 1$.

By repeating this procedure, the whole set $J = I \cap L$ is easily recovered. The next step now is to find all the elements of $L$ that are not in $I$. One solution is to exchange one element in $I \setminus J$ by another element in $\{1, \dots, n\} \setminus I$ and compare the values of $d_I$. If it increases, it means that the new element belongs to $L$. At the end of this procedure the set $L$ is totally recovered. This probabilistic algorithm is obviously of polynomial time complexity and breaks completely the homomorphic scheme suggested in [BL12].
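
The dimension count of Proposition 4 and the remove-one-position test built on it, run on a constructed toy instance; with I disjoint from L the same computation gives the 2k − 1 value of Proposition 2. This is an added example, not code from the paper: the field GF(257), the parameters n = 60, k = 6, ℓ = 4, the 0-based column indices and all function names are assumptions, and the sets I are built from the known secret L so that the hypotheses of Proposition 4 hold by construction.

```python
import random

P_MOD = 257  # constructed toy field GF(257); the paper only requires some GF(q)

def rank_mod_p(rows, p=P_MOD):
    """Rank of a matrix over GF(p), by Gaussian elimination."""
    rows = [[v % p for v in r] for r in rows]
    rank = 0
    for col in range(len(rows[0])):
        piv = next((r for r in range(rank, len(rows)) if rows[r][col]), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        inv = pow(rows[rank][col], -1, p)           # modular inverse (Python 3.8+)
        rows[rank] = [v * inv % p for v in rows[rank]]
        for r in range(rank + 1, len(rows)):
            f = rows[r][col]
            if f:
                rows[r] = [(a - f * b) % p for a, b in zip(rows[r], rows[rank])]
        rank += 1
        if rank == len(rows):
            break
    return rank

def square_dim(gen, I, p=P_MOD):
    """dim <C_I^2>: puncture the code spanned by gen to the columns in I, then
    take the rank of all pairwise component-wise products of its basis rows."""
    sub = [[row[c] for c in I] for row in gen]
    prods = [[a * b % p for a, b in zip(sub[r], sub[s])]
             for r in range(len(sub)) for s in range(r, len(sub))]
    return rank_mod_p(prods, p)

def keygen(n, k, ell, rng, p=P_MOD):
    """Toy key as in Section 3: rows x^1..x^k, rows ell+1..k zeroed on L."""
    xs = rng.sample(range(1, p), n)                 # distinct and nonzero
    L = set(rng.sample(range(n), 3 * ell))          # secret set, |L| = 3*ell
    G = [[0 if (t > ell and i in L) else pow(xs[i], t, p) for i in range(n)]
         for t in range(1, k + 1)]
    while True:                                     # random invertible S
        S = [[rng.randrange(p) for _ in range(k)] for _ in range(k)]
        if rank_mod_p(S, p) == k:
            break
    P = [[sum(S[r][t] * G[t][c] for t in range(k)) % p for c in range(n)]
         for r in range(k)]
    return L, P                                     # P = S*G is the public key

def positions_in_L(P, I):
    """Remove-one test: x is flagged when dropping it lowers the dimension by 1."""
    d_I = square_dim(P, I)
    return {x for x in I if square_dim(P, [c for c in I if c != x]) == d_I - 1}

def demo(seed=1, n=60, k=6, ell=4):
    rng = random.Random(seed)
    L, P = keygen(n, k, ell, rng)
    inside = sorted(L)
    outside = [i for i in range(n) if i not in L]
    # |I| = 3k with exactly j positions from L, so |J| <= ell - 1 and
    # |I| - |J| >= 2k (the hypotheses of Proposition 4) hold by construction.
    dims = [square_dim(P, inside[:j] + outside[:3 * k - j]) for j in range(ell)]
    I = inside[:ell - 1] + outside[:3 * k - (ell - 1)]
    return dims, positions_in_L(P, I), set(I) & L

if __name__ == "__main__":
    dims, found, truth = demo()
    print("dim <C_I^2> for |J| = 0..3:", dims)      # 2k - 1 + |J|
    print("flagged:", sorted(found), "true I & L:", sorted(truth))
```

The rank is computed on the public matrix P only; S does not change the row space, which is why the dimensions match those predicted from the secret G.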
A Proof of Proposition 4

The proof of Proposition 5 proceeds by exhibiting a basis of the linear space $\langle \mathscr{C}_I^2 \rangle$. For this purpose we define for any $t$ in $\{1, \dots, k\}$, $X^t = (x_i^t)_{i \in I}$ and $Y^t = (Y_i^t)_{i \in I}$ with:

$$Y_i^t \stackrel{\text{def}}{=} \begin{cases} 0 & \text{if } i \in J \\ x_i^t & \text{if } i \in I \setminus J. \end{cases}$$

Notice that $\mathscr{C}_I$ is the vector space spanned by the $X^t$'s for $1 \le t \le \ell$ and the $Y^t$'s for $\ell + 1 \le t \le k$. The proof of Proposition 4 starts by giving a generating set for $\langle \mathscr{C}_I^2 \rangle$.

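Lemma 1. $\langle \mathscr{C}_I^2 \rangle$ is generated by the set of vectors $X^t$ for $2 \le t \le 2\ell$ and $Y^t$ for $\ell + 2 \le t \le 2k$.

Proof. Let us define:

$$Z^t \stackrel{\text{def}}{=} \begin{cases} X^t & \text{if } 1 \le t \le \ell \\ Y^t & \text{if } \ell + 1 \le t \le k. \end{cases}$$

Obviously, $\langle \mathscr{C}_I^2 \rangle$ is generated by the vectors $Z^r \star Z^s$ where $r$ and $s$ range over $\{1, \dots, k\}$. We notice now that

$$Z^r \star Z^s = \begin{cases} X^{r+s} & \text{if } r \text{ and } s \in \{1, \dots, \ell\} \\ Y^{r+s} & \text{if } r \text{ or } s \notin \{1, \dots, \ell\}. \end{cases}$$

In particular, the following equality holds:

$$\{ Z^r \star Z^s \mid 1 \le r \le k \text{ and } 1 \le s \le k \} = \{ X^t \mid 2 \le t \le 2\ell \} \cup \{ Y^t \mid \ell + 2 \le t \le 2k \}.$$

□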

The next step is to find some linear relations between the $X^t$'s and the $Y^t$'s. This is achieved by

Lemma 2. If $\ell + |J| + 2 \le t \le 2\ell$, then $X^t$ belongs to the vector space generated by

$$\bigcup_{u=\ell+2}^{t-1} \{ X^u, Y^u \} \cup \{ Y^t \}.$$

Proof. We consider $U$ as an indeterminate and we define the polynomials $\psi(U)$ and $R(U)$ as $\psi(U) = \prod_{i \in J} (U - x_i)$ and $R(U) = \psi(U) U^{t-|J|}$. The degree of $R(U)$ is equal to $t$ and hence satisfies $\deg(R) \le 2\ell$. $R(U)$ can also be viewed as the polynomial $\sum_{s=t-|J|}^{t} r_s U^s$ where each $r_s$ belongs to $\mathrm{GF}(q)$ and $r_t = 1$. One can see that by construction of $R(U)$ when $i \in J$ then $R(x_i) = \sum_{s=t-|J|}^{t} r_s x_i^s = 0$. So if we denote by $X_i^s$ (resp. $Y_i^s$) the entry of $X^s$ (resp. $Y^s$) at position $i$ we equivalently have when $i \in J$:

$$\sum_{s=t-|J|}^{t} r_s X_i^s = \sum_{s=t-|J|}^{t} r_s x_i^s = R(x_i) = 0.$$

By the very definition of $Y_i^s$, which is equal to 0 when $i \in J$, we have that $\sum_{s=t-|J|}^{t} r_s Y_i^s = 0$. On the other hand by definition of $X^s$ and $Y^s$, we also have that

$$\sum_{s=t-|J|}^{t} r_s X_i^s = \sum_{s=t-|J|}^{t} r_s Y_i^s$$

for $i$ in $I \setminus J$. Therefore in all cases we have

$$\sum_{s=t-|J|}^{t} r_s X^s = \sum_{s=t-|J|}^{t} r_s Y^s,$$

and since $r_t = 1$ we can write that:

$$X^t = \sum_{s=t-|J|}^{t} r_s Y^s - \sum_{s=t-|J|}^{t-1} r_s X^s.$$

This concludes the proof of the lemma by noticing that $t \ge |J| + \ell + 2$ implies that the $s$ which appears in the sum above is larger than or equal to $\ell + 2$. □

It remains to prove that the generating set obtained by removing the linear relations obtained in Lemma 2 is now an independent set.

Proposition 5. Assume that $|J| \le \ell - 1$ and $|I| - |J| \ge 2k$, then the set of $X^t$'s with $2 \le t \le \ell + |J| + 1$ and $Y^t$'s with $\ell + 2 \le t \le 2k$ form a basis of $\langle \mathscr{C}_I^2 \rangle$.

Proof. A consequence of Lemma 2 is that $X^t$ with $2 \le t \le \ell + |J| + 1$ and $Y^t$ with $\ell + 2 \le t \le 2k$ generate the code $\langle \mathscr{C}_I^2 \rangle$ but it remains to prove that they are linearly independent. For this purpose, let us assume that there exists a linear relation between them, i.e., there exist $a_s$ and $b_s$ in $\mathrm{GF}(q)$ for $2 \le s \le 2k$ such that:

$$\sum_{s=2}^{\ell+|J|+1} a_s X^s + \sum_{s=\ell+2}^{2k} b_s Y^s = 0. \qquad (4)$$

By setting $a_s = 0$ for $\ell + |J| + 2 \le s \le 2k$ and $b_s = 0$ for $2 \le s \le \ell + 1$, Equation (4) can be rewritten as:

$$\sum_{s=2}^{2k} (a_s X^s + b_s Y^s) = 0. \qquad (5)$$

Let us denote $R(U) = \sum_{s=2}^{2k} (a_s + b_s) U^s$. We know that if $i \notin J$ then $Y_i^s = X_i^s = x_i^s$ for $s$ in $\{2, \dots, 2k\}$. Therefore by Equation (5) we have $R(x_i) = 0$ for any $i \notin J$. As we have assumed that $|I| - |J| \ge 2k$, it implies that $R(U) = 0$ or equivalently $a_s = -b_s$ for all $s$. In particular $a_s = 0$ for $2 \le s \le \ell + 1$. On the other hand, when $i \in J$, we have $Y_i^s = 0$ and $X_i^s = x_i^s$ for any $s$ in $\{\ell + 2, \dots, \ell + |J| + 1\}$. Hence when $i \in J$, Equation (5) leads in fact to:

$$\sum_{s=\ell+2}^{\ell+|J|+1} a_s x_i^s = 0. \qquad (6)$$

Now let us consider $Q(U) = \sum_{s=\ell+2}^{\ell+|J|+1} a_s U^s$ and observe that there exists some polynomial $S(U)$ with $\deg(S) \le |J| - 1$ such that:

$$Q(U) = U^{\ell+2} S(U).$$

From Equation (6) we know that $Q(x_i) = 0$ for all $i$ in $J$. Since all $x_i$'s are different from 0, this implies that $S(x_i) = 0$. Since $\deg(S) \le |J| - 1$ this means that $S(U) = 0$, and therefore $a_s = 0$ for all $\ell + 2 \le s \le \ell + |J| + 1$. Then Equation (4) holds if and only if all the coefficients $a_s$ and $b_s$ are zero, which means that $X^t$ with $2 \le t \le \ell + |J| + 1$ and $Y^t$ with $\ell + 2 \le t \le 2k$ form indeed a basis of $\langle \mathscr{C}_I^2 \rangle$ whose dimension is therefore $2k - 1 + |J|$. □

Proposition 4 immediately follows from Proposition 5, which characterises a basis of $\langle \mathscr{C}_I^2 \rangle$.



